Spain Bans Palantir and the US Supreme Court Kills FTC Independence: Europe's Digital Sovereignty Reaches a Breaking Point

Spain Bans Palantir and the US Supreme Court Kills FTC Independence: Europe's Digital Sovereignty Reaches a Breaking Point

tech-policyprivacyeudigital-sovereigntypalantirdata-transfer

Sources:web research + HN + Lobsters · HN

On July 1, the Spanish prime minister’s office issued a directive to a group of state-owned enterprises: no more new contracts with the American data analytics firm Palantir. Exactly one week earlier, the US Supreme Court ruled 6–3 in Trump v. Slaughter that the Federal Trade Commission’s 「independence」 is unconstitutional. Halfway across the world in Vienna, the privacy advocacy group noyb promptly declared that the legal foundation for 23 years of EU-US data transfer agreements 「is now dead.」

Two events on opposite sides of the Atlantic, seemingly unrelated. But place them side by side and a clear narrative emerges: Europe is no longer satisfied with writing laws, issuing statements, and expressing 「concern.」 It has started to act.

Spanish prime minister's office issues blacklist order, Palantir's Davos office Image: US software company Palantir in Davos, May 2022. Source: AFP / Clash Report

The Blacklist: Why Spain Said 「No」 to Palantir

Start with Spain. According to an exclusive report by the Spanish outlet El Confidencial, Moncloa (the prime minister’s office) used the state industrial holding company SEPI to deliver a clear directive to core state-owned enterprises including Telefónica, Indra, and Navantia: cease all future cooperation with Palantir.

These aren’t ordinary companies. Telefónica is Spain’s largest telecom operator, the backbone of the nation’s communications infrastructure. Indra is a defense technology firm involved in military command systems. Navantia is a military shipyard that builds warships and submarines. In plain terms, these are the 「pipes」 of Spanish national security — and Palantir is a company whose entire business model revolves around extracting patterns, correlations, and predictions from massive datasets. What it means to let an American company plug into those pipes is apparently something the Spanish government has now thought through clearly.

The blacklist is already doing real damage. A nearly finalized cooperation project between Navantia and Palantir was halted. A collaboration agreement between Palantir and the Guardia Civil was personally vetoed by Spain’s interior minister. On June 10, former French prime minister Sébastien Lecornu also publicly stated that France would stop working with the company. Inside Germany, there is growing momentum to procure the French competitor ChaosVision instead.

The Spanish military isn’t happy about this. Palantir currently holds a contract with the Spanish Armed Forces Intelligence Center (CIFAS) worth €16.5 million, expiring this November. Both Army and Navy chiefs of staff have been lobbying the defense minister to renew it, and their reasoning is blunt: the system genuinely works well. But the prime minister’s office has so far refused to budge.

Why is Spain turning hostile right now? The original report offers two threads. First, Palantir’s co-founder Peter Thiel and CEO Alex Karp have deep political and financial ties to the Trump administration, and Prime Minister Pedro Sánchez stands opposed to the new US administration on multiple fronts. Second, the Spanish government is already accelerating investment in its own technological alternatives — approving a €115 million investment in the Catalan chip company Openchip as part of a €5 billion mega-fab project. The blacklist isn’t an isolated move; it’s clearing space for domestic alternatives.

noyb's diagram depicting the EU-US data transfer framework as a house of cards Image: noyb likens the EU-US data transfer agreements to a 「house of cards.」 Source: noyb.eu

The Ruling: How the US Supreme Court Accidentally Undermined European Data Sovereignty

Now turn to Washington. To grasp the impact of this ruling, some background is necessary: since 1995, EU law has prohibited the arbitrary transfer of EU citizens’ personal data to third countries with 「inadequate」 protections. In other words, whether the email you send from Gmail in Paris, the Airbnb you book in Milan, or the Salesforce your company uses in Berlin can legally be stored on US servers all depends on whether the EU considers American data protection 「adequate.」

To bridge this gap, the EU and US have built three successive frameworks: Safe Harbour (2000), Privacy Shield (2016), and the Data Privacy Framework (2023). The first two bridges were struck down by the Court of Justice of the European Union (CJEU) on the grounds that US surveillance laws are overly broad and lack independent judicial remedies. The third bridge is barely standing — and it rests on one critical pillar: the independence of the FTC.

In the current Data Privacy Framework adequacy decision, the European Commission relies on the FTC as an 「independent supervisory authority」 no fewer than 259 times. That’s a staggering number. EU constitutional-level law (Article 16(2) TFEU and Article 8(3) of the Charter of Fundamental Rights) states in black and white: data protection supervisory authorities must be independent. In the absence of a comprehensive US privacy law, the FTC’s independence was essentially the entire reason the EU accepted that American protections were 「good enough.」

Then the US Supreme Court stepped in. On June 29, the conservative majority in Trump v. Slaughter adopted the so-called 「unitary executive theory,」 ruling that the FTC’s independence is unconstitutional — the president has the power to fire FTC commissioners at will, without cause. This means the FTC is no longer an 「independent」 agency but an executive branch body the president can directly control. For the EU, those 259 references instantly became 259 holes.

noyb founder Max Schrems — the Austrian who single-handedly brought down the first two frameworks through litigation — issued a statement after the ruling: 「Even by the European Commission’s own logic, the basis for any EU-US data transfer agreement has died. We call on the Commission to initiate an orderly exit from US cloud services. This isn’t simple, but it’s unavoidable.」

What makes this even more lethal is that the Supreme Court’s logic doesn’t stop at the FTC. If the principle that 「independent agencies are unconstitutional」 is applied broadly — and that is precisely the conservative justices’ intent — then the Data Protection Review Court (nominally a 「court」 but actually an internal DOJ body) and the Privacy and Civil Liberties Oversight Board (PCLOB), both previously offered as US privacy protection commitments, face the exact same legitimacy problem. The entire structure of EU trust in American data protection is a row of dominoes.

The CJEU building in Luxembourg — the institution that twice struck down EU-US data transfer agreements Image: The Court of Justice of the European Union (CJEU) in Luxembourg, which has twice annulled EU-US data transfer agreements. Source: noyb.eu

From Anxiety to Action: The Transatlantic Digital Cold War’s Turning Point

Stack these two events together and a significant pattern shift becomes visible.

For the past decade, Europe’s posture on digital sovereignty could be summed up as 「legislative anxiety」: GDPR was enacted, the Digital Markets Act was passed, the AI Act is advancing. The laws got thicker and thicker, but enforcement always lagged half a step behind. American tech companies continued to dominate the European market. EU citizens’ data continued flowing to US servers in massive quantities. So-called 「sovereignty」 remained largely on paper.

But the first week of July 2026 changed the tone. Spain didn’t issue a statement expressing 「concern about data security.」 It directly severed business ties with a key American technology company — and not just at the government level, but extending the order to state-controlled private enterprises as well. noyb sent a formal letter to the European Commission demanding the initiation of an exit process — not just another blog post analyzing 「problems with the framework.」

I don’t think this is a coincidence. Three forces are pushing simultaneously:

First: the Trump administration’s 「unpredictability」 has become a certainty. If Europe was still waiting and watching during 2016–2020, that waiting ended when Trump returned to the White House in 2025. When a US president can fire the heads of law enforcement agencies at will, overturn a predecessor’s political commitments by executive order, and have his Supreme Court provide constitutional cover for all of it, European policymakers can no longer premise their decisions on 「America will self-correct.」

Second: the boundary between data security and national defense security is dissolving. The core rationale for banning Palantir wasn’t privacy infringement — it was 「national security.」 Spain’s concern is about where military intelligence, communications data, and law enforcement information flow. When data analytics capability is itself a form of weaponry, outsourcing data capability is tantamount to outsourcing part of your defense capability. This is no longer a GDPR compliance question; it’s a sovereignty question.

Third: Europe is seriously building alternatives. Spain’s Openchip investment, Germany’s ChaosVision procurement, France’s 「sovereign cloud」 strategy — Europe is finally spending real money to build its own solutions instead of merely saying 「we don’t want American ones.」 When a market of alternatives begins to take shape, 「blacklisting」 shifts from a political gesture to a viable business choice.

Who Is the Villain?

This digital cold war has no single villain, but there is a clear polarity: on one side, the expansion of presidential power under America’s 「unitary executive theory」 — a president who can control all enforcement and regulatory agencies at will, when the EU precisely needs those agencies to be 「independent」 to trust America. On the other side, Europe’s shift from passive compliance to active blockage — using executive orders and political decisions to directly sever dependencies rather than following the old path of slow, court-by-court litigation.

There’s another telling detail about Spain’s ban: it was delivered 「quietly.」 The government issued no press release, held no press conference. It was communicated layer by layer through SEPI’s internal channels. Which is precisely the point: a serious action doesn’t need a performance.

What Happens Next

In the short term, there won’t be a 「pull-the-plug」 style data decoupling. Even if noyb demands that the European Commission withdraw its recognition of US data protections, the Commission will most likely choose to stall, negotiate, and search for technical patchwork solutions. Article 49 of the GDPR permits necessary data transfers (such as hotel bookings and cross-border payments), so most day-to-day commercial activity won’t grind to a halt overnight.

But in the medium term — one to three years — the changes will be irreversible. EU businesses are already receiving legal advice: even if you use Standard Contractual Clauses (SCCs) rather than the Data Privacy Framework, your cross-border data Transfer Impact Assessment typically relies on assumptions about FTC and PCLOB independence. Those assessments now need to be rewritten, and the rewritten conclusion will likely be: no.

Max Schrems put it plainly: 「We call on the Commission to initiate an orderly exit from US cloud services.」 He said 「cloud」 — and more than 70% of Europe’s cloud market is in the hands of American companies. This isn’t an easy pivot, but Schrems’s words represent an increasingly mainstream European consensus: rather than patch together trust in an untrustworthy partner, build your own.

Spain’s blacklisting of Palantir and the death of FTC independence are, at their core, two expressions of the same logic on opposite sides of the Atlantic: control over digital infrastructure has become, like territory, military force, and currency, an inalienable component of national sovereignty. In July 2026, this realization moved from legal text into executive order.

Reference links: